During spring quarter 2018, a group of Jackson School undergraduates and graduate students spent the quarter tackling the issue of systemic cyber risk as part of an Applied Research Project (now named Global Research Group) for Microsoft’s Digital Diplomacy team.

The team used financial systemic risk as an analogy for a hypothetical systemic cybersecurity risk regime, examining how cybersecurity could be seen in terms of systemic risk, how systemic cyber risk could be defined and analyzed, and which institutions and countries are most relevant to systemic cyber risk and mitigation.

The team was made up of nine researchers, two senior researchers, and a faculty member with expertise in cybersecurity. The nine researchers were Conor Cunningham, Cynthia Hannon, Mariam Malik, Rachel Paik, Rishi Paramesh, Heidi Samford, Kunat Sangcharoenvanakul, Sarah Sanguinet, and Alison Wattles. The two senior researchers, Allison Anderson and Alexander Wirth also contributed research, writing, and editing. Dr. Jessica Beyer directed the project.

The project was the sixth product of a Jackson School Applied Research collaboration with Microsoft’s Digital Diplomacy Team. The Applied Research Program, founded by Professor Sara Curran, matches teams of top-achieving Jackson School students with private and public sector organizations seeking dynamic, impactful, and internationally-minded analyses to support their strategic and operational objectives.

Executive Summary of the Report

The report analyzes regulatory regimes for international financial services and mechanisms for addressing systemic financial risk in order to identify approaches to the formation of an international regime that could manage systemic risk within the realm of cybersecurity. Additionally, it provides insight into the best practices of financial regulatory regimes and suggests the possibility of future international cybersecurity regulation.

The report articulates financial systemic risk as the possibility that the failure of a component of a financial institution will result in a large-scale failure within the financial sector. The principle of systemic risk is analogous to cybersecurity in that the failure of one component of cybersecurity infrastructure may trigger larger-scale failures including the collapse of critical infrastructure.

To determine how systemic cyber risk may be addressed, the report analyzes and assessed various regulatory measures used or proposed in the financial sector. We suggest how models to address financial risk may be transposed into potential models to mitigate systemic cyber risk. Specifically, we suggest that the indicators of systemic financial risk developed in the Third Basel Accord can be transposed to systemic cyber risk, as well as methods such as stress testing to measure resilience, limiting damage, and systemic risk taxation.

Examining the institutions that exist in the financial sector to mitigate systemic financial risk can provide examples of potential strategies to mitigate systemic cyber risk. We examine institutions that play roles in the mitigation of systemic financial risk, such as the Federal Reserve and the Financial Stability Board, and suggest that similar institutions could act in the realm of cybersecurity.

Next, we identify potential stakeholders important to the formation and promotion of a future cybersecurity regulatory regime. These stakeholders include governments, militaries, intelligence agencies, Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Organizations (ISAOs), Information Sharing and Analysis Centers (ISACs), law enforcement agencies, civilian regulatory agencies, private industry, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). Some countries and international stakeholders, such as member states on the United Nations Security Council (UNSC), or the International Monetary Fund (IMF), have already had some involvement in influencing international cybersecurity policies and are in a position to drive a potential international regime.